Healthcare and Life Sciences Blog

Don’t block your users, use Conditional Access to limit what actions a user can perform

Craig Eidelman
Dec 10, 2018

One of the most common requests I hear from my customers is “We want to prevent people from using Outlook on the Web or SharePoint on a personal device.” The main reason is that if attachments in email or files in SharePoint contain Protected Health Information (PHI), customers want to ensure that those files can’t move to unmanaged devices. While you can use Azure Information Protection (AIP) to label and encrypt files, many organizations are just starting their information protection journey and need a solution that can immediately keep data at rest from being moved off of the cloud storage environment. Customers also want to ensure that physicians and other clinicians can still access their email from web browsers on non-managed devices so they can stay productive and communicate effectively with patient-specific information.


How can we solve this challenge? Azure Active Directory Conditional Access with session controls to enable limited experiences can help ensure data stays inside the cloud service. This solution can provide your organization the right balance of security and productivity. For the purpose of this article I am discussing how we can enable session control within SharePoint Online, OneDrive for Business and Exchange Online using native controls in those services and Azure Active Directory Premium. You can extend this feature to other cloud services using Microsoft Cloud App Security and Azure Active Directory premium as well, but that discussion is for another time.
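The configuration that produces the limited session described here has two halves: the service-side setting in SharePoint Online and Exchange Online that defines what a limited session may do, and the Azure AD Conditional Access policy whose “Use app enforced restrictions” session control tells those services to apply it. The following PowerShell is an added example, not from the original post or from Microsoft’s documentation; it assumes the SharePoint Online Management Shell, Exchange Online PowerShell and Microsoft.Graph modules are installed, and the tenant name, policy display name and OWA policy name shown are placeholders to substitute for your own.

```powershell
# Added example: configure the "limited experience" for browser sessions from
# unmanaged devices. Tenant name, policy names and scoping are placeholders/assumptions.

$TenantName = "contoso"   # placeholder: your tenant's SharePoint admin prefix

# --- 1. SharePoint Online / OneDrive for Business ------------------------------
# AllowLimitedAccess: unmanaged devices get browser-only access with download,
# print and sync disabled. OfficeOnlineFilesOnly: only files that Office Online
# can render are previewable; other file types are not downloadable at all.
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess `
              -LimitedAccessFileType OfficeOnlineFilesOnly

# --- 2. Exchange Online (Outlook on the web) -----------------------------------
# ReadOnly: attachments open in the browser but cannot be downloaded or printed.
Connect-ExchangeOnline
Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" `
                     -ConditionalAccessPolicy ReadOnly

# --- 3. Azure AD Conditional Access policy --------------------------------------
# Scope: all users, browser client, Office 365 apps (Exchange Online and
# SharePoint Online/OneDrive). The session control instructs the services to
# enforce the restrictions from steps 1 and 2; the services themselves decide
# that a compliant or hybrid-joined device is "managed" and keep full access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$policy = @{
    displayName = "Limited web session on unmanaged devices"   # placeholder name
    # Report-only first; change to "enabled" once sign-in logs confirm the scope.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("browser")
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# --- 4. Verify what is in effect -------------------------------------------------
Get-SPOTenant | Select-Object ConditionalAccessPolicy, LimitedAccessFileType
Get-OwaMailboxPolicy | Select-Object Name, ConditionalAccessPolicy
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like "Limited web session*" |
    Select-Object DisplayName, State
```

Two points worth checking after this runs. First, the session control does nothing by itself: if step 1 or 2 is left at its default, the Conditional Access policy is satisfied but the user sees a full session, so verify both the service setting and the policy state. Second, start in report-only mode and review the sign-in logs for clinicians on managed devices to confirm they still receive full access before switching the policy to enabled.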
Azure Active Directory Conditional Access

What does the user experience look like? Let’s use the example where an end user wants to check email and look at a file using a kiosk machine at a hotel. The user will go through their normal process to go to Outlook on the Web but when they get to an email that contains an attachment, they will see a banner at the top of the email informing them that they are in a limited session and cannot download, print, or sync to that device. Additionally, the “download” and “print” options will not appear on the file or in the Office Apps.
When the user clicks on OneDrive for Business or SharePoint Online, the user also will see the same banner and will have a similar experience.
The file can only be opened in PowerPoint Online and cannot be downloaded to the device or printed.
These controls ensure that all documents, not just the ones with PHI, cannot be downloaded without the need for additional security tools. This ensures that documents will stay in the controlled environment and not move anywhere else. The end user can check email, edit documents in the Office Web Apps, and work as they normally would without the need for other services to protect that information. You can keep your clinical workers collaborating with the assurance that documents will not be downloaded to unmanaged devices and therefore reduce the risk of a data breach.
To learn more about how to configure these options, please review the following links.

Updated Jul 12, 2019
Version 2.0
  • I like how companies have become more "open" to the outside world without having to let down on Security. They are still in control but there is still enough room to work in. Adding the Windows Defender ATP to Conditional Access was even more useful. Thanks!

  • JB BOONJAROEN
    Copper Contributor

    If we use SharePoint Online and enable RMS to protect data encryption or data at rest:

    1. How to allow the owner to open a document via Office Web App?

    2. If we order EMS+S E3, can we assign AIP to edit documents via Office Web App?

    Best regards

    Jumrat

  • JB, the features you are requesting are on the roadmap for early 2019 to enable Office Web Apps to edit AIP-protected documents.